On 8 December 2022, Minister for Home Affairs Clare O’Neil announced a review of Australia’s cybersecurity strategy, updating the 2020 strategy. The need for something new reflects both the freneticism of cyber—a constant hammering of breaches, intrusions, and attacks, and pressure to respond—and the short shelf life of much strategy in a changeable world.
There’s a problematic sameness to cyber security strategies: protect more, do more, do it smarter and do it with others. As Ian Levy, former Technical Director at the UK’s National Cyber Security Centre, has observed, government policies continue to tackle the symptoms rather than addressing the underlying problem. Cyber is difficult, messy, ever-expanding; fixing it breaks stuff; and fixing it is expensive.
In Australia, government has responded by outsourcing efforts to manage cyber issues to industry, by placing more responsibility on companies and boards, enforcing the collection of data, and retaining power to force companies to make technology accessible to government.
That’s not well-suited, long-term, to a democracy.
First, industry does not pursue national, civic, or democratic interests—and especially so when most key companies are headquartered overseas or dependent on foreign technologies. These are all responsibilities we attribute to representative governments. Like risk, they cannot be outsourced.
Second, cyber is a matter of policy. Policy—public policy—tackles wicked problems, untameable through a legal instrument or a technical fix. Policy must contend with competing stakeholders, deliver within tight resource constraints, work with incomplete and uncertain information, and often changes as the environment shifts and prospective solutions evolve.
Third, government needs to develop and retain the knowledge and skills to understand and manage the cyber challenge. Cyber is now foundational, inherent in the digital and data systems that underpin our economy, national security, and social wellbeing. The knowledge and skills needed are not simply STEM, though technical understanding and experience are a major gap in Australia’s policymaking apparatus.
Cyber is as much a governance, social, financial, ethical and communication issue as it is a national security or technical issue. So policy must ‘think’ in terms of ecologies of capabilities, plastic not rigid systems, diverse knowledge sets, and over both short and long-term time horizons.
Importantly, policy is needed for the conceptual framing of strategy. Broadly speaking, the purpose of strategy is to secure the objectives of policy: it forms the bridge between means and ends.
Good strategy, according to Richard Rumelt, comprises a ‘kernel’ of three elements: a diagnosis of the nature of the challenge; a ‘guiding policy’ for dealing with the challenge; and a set of coherent actions designed to realise the guiding policy.
Diagnosing the challenge is far from easy. As Rumelt notes, a good deal of effort is needed just to determine what is actually going on.
Understanding cyber is complicated by the lack of a definitive formulation. How it is understood depends on one’s perspective and one’s idea of how it may be resolved. Lawyers and legislators tend to reach for legal solutions, technologists for technical solutions, and diplomats for international negotiations. All offer necessary insight but are of themselves insufficient for a diagnosis.
Further, cyber has its own logic, distinct from conventional or nuclear strategy. That inherently limits the use of analogies with past situations, common in foreign and defence policy.
Based on experience thus far, cyber poses less the prospect of a ‘cyber-Pearl Harbor’ and more of deep corrosion and institutional rot. Cyber vulnerabilities continue to be built into our systems, embedding the rot. Yet while there are infinite micro-vulnerabilities, affecting individuals and specific systems, societies and economies—and democracies—have proven macro-resilient.
Such an interpretation suggests a different focus, domain of action and means of effect than perhaps has been employed when considering prospective catastrophe.
The next step is the development of the guiding policy. A guiding policy helps generate coherence amongst many different actors, in a noisy, ill-defined, and contested field.
The government’s intent will shape the guiding policy. For example, the UK has advanced the notion of ‘cyber power’, reflecting a Britain more forward-leaning in international affairs. The EU’s cyber defence emphasises working together, aligning with the EU’s ethos of engagement and consensus building. Famously, George Kennan’s proposed containment policy provided the guiding policy for the West’s prosecution of the Cold War.
O’Neil’s interest in democracy could shape the cyber strategy. If we assume a diagnosis of corrosion and rot, yet macro-resilience, then the guiding policy may focus on strengthening institutions, civil society, and individual agency.
That contrasts with a preference for efficiency, for example, where the guiding policy might focus on consolidation of all digital and data assets and elimination of less valued systems, so reducing cost and vulnerabilities.
And should government be sufficiently ambitious to address the root causes of cyber, then the guiding policy could focus on foundational science and engineering, mandating the use of new systems, and providing support for organisational and industry change.
Last, there is the series of coherent actions needed to realise the guiding policy. Assuming a preference for democracy, we could expect some logical configuration of initiatives such as:
- promotion of democratic norms in cyber-related forums;
- development of international standards aligned with democratic values;
- international and domestic capability and capacity building;
- an uplift of technology education, enabling informed participation in society; and
- strengthening of privacy and encryption provisions.
Whatever the set of actions, they will need leadership, knowledge and funding, else the strategy will remain words resting on a shelf. But without a realistic, insightful diagnosis and a coherent binding policy, actions will simply comprise a profligate shopping list.
To illustrate, we know what the average looks like—we can ask ChatGPT.
ChatGPT is OpenAI’s model that interacts in a conversational text-based mode. When prompted, ChatGPT will remind users that it ‘can only provide information and answers based on the data that [it] has been trained on.’ That data is immense, given the range and depth of answers it has provided to its over one million users since its release. We can fairly assume it has sampled numerous cybersecurity strategies, and assessments of those strategies.
That’s a reasonably comprehensive shopping list—and without the contestability, the hard questions, the guiding policy and the relentless prioritisation of good strategy, that’s as far as many will want to go. But comfort in a challenging, corroding environment will not suffice.
In short, the easy has been done. Now it’s time for the heavy lifting.